Skip navigation
Documentation

Administration - Using the Admin Panel and Changing Settings

Contents

Customize your Duo experience by changing global settings in the Duo Admin Panel.

To access the Admin Panel, navigate to https://admin.duosecurity.com , enter your administrator account email address and password, and click Log In. After your login is accepted, you then must authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication See Managing Duo Administrators for instructions.

The browser used to access the Admin Panel must support TLS 1.2, which most modern browsers do by default. If you are concerned about compatibility, please update your browser or check your browser’s SSL implementation here: https://www.ssllabs.com.

Changing Administrative Settings

Administrators may use the Settings page in the Duo Admin Panel to customize account branding and second factor features. To access these features, log in to the Duo Admin Panel and click Settings in the left sidebar. Be sure to click the Save Changes button at the bottom of the page after updating any settings.

Role required: Owner or Administrator (Billing role may not access the Settings page, other roles may view but not modify settings).

General Settings

At the top of the Settings page you can change your Account name, Region, Language, Preferred timezone, or Logo. The Region and Preferred timezone selections apply to most dates and timestamps in the Duo Admin Panel.

Change the Language setting from English to display the browser-based Duo Prompt in French or German to your end users. This setting is global; users see the selected language in the authentication prompt no matter their actual location.

The Account Name and Logo specified here will be displayed in your Duo Admin Panel, and seen by your users during enrollment and authentication via browser, as well as in the Duo Mobile app. The logo image must be in PNG format and not exceed 500 by 500 pixels and 200 KB. We recommend a 304 by 304 pixel logo image with a transparent background for the best results.

As an example, if you upload a company logo and change the account name to "Acme Corp." like so:

General Settings

The account appears in Duo Mobile as follows:

Duo Mobile Accounts Screen

The company logo you update here is also shown in the Duo Prompt.

Authentication prompt with Duo branding

The Duo authentication prompt displays the text "Powered by Duo Security" by default. To remove this statement from your authentication prompt, clear the Duo branding General settings option.

Authentication Methods

In paid plans that include Duo's policy engine, like the Duo Access or Duo Beyond plans, use the policy editor to change the "Authentication Methods" policy setting globally or for specific applications and users. See the Policy & Control documentation for more information.

Duo's available authentication methods are: - Duo Push: Duo sends an authentication request to the Duo Mobile app on a smartphone. - Duo Mobile passcodes: Users enter a one-time passcode (OTP) generated within the Duo Mobile app. - Phone callback: Duo calls a user's cell phone or landline for authentication approval. - SMS passcodes: Users enter a one-time passcode (OTP) sent via text message to a cell phone. - U2F tokens: Users tap a USB device to approve authentication. - Hardware tokens: Users enter a one-time passcode (OTP) generated by a physical authenticator (may only be disabled from the policy engine).

Administrators of Duo MFA plans without the policy engine can restrict the factors allowed for authentication by disabling unwanted methods in the "Authentication Methods" section of the Settings page.

Authentication method settings

U2F Tokens

Universal 2nd Factor (or U2F) is an authentication standard from the FIDO alliance. All Duo editions include U2F. U2F tokens require Chrome 41 and later or Opera 40 and later, and are compatible with Duo's browser-based applications that feature inline enrollment and authentication prompt.

Users may self-enroll the U2F token via the Duo enrollment prompt or device management portal, or Duo admins can enroll a U2F token on behalf of a given user. Once a U2F token is enrolled in Duo, the user simply taps it at the Duo Prompt to complete login.

Duo MFA customers who see the top level Policy navigation item in their Admin Panel don't need to allow U2F on the Settings page; it's already allowed. If you're on Duo's Duo Access or Duo Beyond plans, U2F usage is also already allowed. Use the policy editor to enable U2F Tokens in the "Authentication Methods" policy setting globally (the only option for MFA) or for specific applications and users. See the Policy & Control documentation for more information.

Duo MFA customers who don't see the the top level Policy navigation item in their Admin Panel (typically a customer who signed up for Duo before April 2015) must first allow U2F token usage to make U2F an available authentication method for users. While on the Settings page, scroll down to the "Authentication Methods" section and check the box next to the Allow the use of U2F tokens under the "U2F Tokens" option shown in the "Authentication Methods" section. Scroll down to the bottom of the page and click the Save Changes button when done.

U2F unavailable as an Authentication Method

Enabling the U2F token labs feature adds "U2F token" to the list of enabled Authentication Methods and enables U2F by default.

If you don't want your users enrolling U2F tokens yet, uncheck the box next to U2F token in the list of "Enabled methods" and scroll down to the bottom of the "Settings" page to click the Save Changes button.

Restricting Authentication Methods

There are many ways that users can receive their second authentication factor when logging in: they can receive a Duo Push request in the Duo Mobile app, they can be sent a passcode via SMS, they can receive an automated voice call, and so on (see our detailed explanation of all Authentication Methods).

For example, if you uncheck the phone callback authentication method and save this change, phone call no longer appears as an option in the authentication prompt.

If all methods are deselected then only hardware token passcodes or bypass codes may be used authenticate.

Authentication prompt without phone call option

Note: Even if Duo Push is disabled, users will still be able to use Duo Mobile to generate a one-time passcode (much as they might with a hardware token). You can prevent users from using the app to generate one-time passcodes by unchecking the Duo Mobile passcodes authentication method.

Phone Calls Settings

In the "Phone Calls" section of the Settings page you can customize your users' experience of callback-based second-factor authentication. Set the "Outgoing caller ID" so that automated calls from Duo appear to come from a specific number within your organization (such as main reception or tech support).

The default setting allows users to press any key to approve an authentication request. You can customize which keys may be used for authentication approval or reporting fraudulent requests in the "Phone callback keys" section.

Phone calls settings

SMS Passcodes

In the "SMS Passcodes" section of the Settings page, admins can customize the message sent to users with SMS passcodes, as well as the number of passcodes sent in each batch (up to 10). Sending multiple passcodes in one SMS message is cost-effective for both users and organizations. For additional security, SMS passcodes can be set to expire after a set time. A new batch can be automatically sent after the last passcode is used, so users are never without an authentication passcode.

SMS passcodes settings

These settings do not affect passcodes used by Duo administrators to log into the Admin Panel.

Lockout and Fraud

In the "Lockout and Fraud" section of this page, you can adjust the number of consecutive failed authentication attempts allowed before the user's account is locked out to prevent brute force attacks. The user lockout counter increments after each failed authentication attempt (such as push timeout or incorrect passcode entered). The default lockout threshold is ten failed attempts.

If "Auto-lockout expiration" is enabled, a locked-out Duo user is automatically moved back to "Active" status after the specified amount of time. Otherwise, locked-out users may not log in until you manually change that user's status from "Locked Out" to "Active" or "Bypass".

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking their username. You will see the user's current status in the "Status" section of the user properties page:

    Locked out user

  3. Re-enable the user by selecting the desired status, then scroll down and click the Save Changes button.

You can also specify who to email when a lockout is triggered with the "Alert email" setting. Notify all admins sends an email to all Duo administrators at each user lockout. Use the Notify a specific email address field to limit which Duo administrators receive lockout notifications or to specify a distribution list. Lockout events trigger no emails with the Do not notify option enabled.

Enabling the "Anomaly Detection" setting provides enhanced protection from fraudulent authentication requests for Duo Mobile users. Check the box next to Block anomalous Duo Push attempts to activate this option. Anomaly detection prevents Duo Mobile from receiving multiple push requests per user within a short period of time. Users will need to wait one minute before requesting another Duo Push. Authentication Log entries alert administrators to the behavior. Customers who have created automation leveraging two-factor authentication should add delays to their process to avoid triggering anomaly detection.

See Raising the Bar - Anomaly Detection in the Duo Blog for more information about anomalous push detection. If you are unsure of whether to enable this feature, please contact support.

Lockout and fraud settings

Telephony Credits

Duo supports telephony-based authentication via phone calls and SMS messages. Each authentication call or SMS message is debited from your telephony credit balance. Paid accounts are issued credits yearly, and may purchase extra telephony credits as needed. Duo Free accounts do not receive automatic credit refills, but may purchase additional telephony credits.

If you ever exhaust your telephony credit balance, your users will not be able to receive authentication phone calls or text messages. To avoid this, Duo automatically notifies all account administrators when the credit balance falls below a pre-determined percentage of your total credits.

You can configure the credit balance email alert in the "Telephony Credits" section of the settings page. Change the "Low-credit alerts" option to Alert when account has fewer than _ credits and enter a number in the blank to change when the alert gets triggered. You can also change the low-credit alert email recipient by entering an email addresses in the Low credit alert email field. If no email is specified then all Duo administrators receive the low-credit alert email.

The rate card shows how many credits each SMS message or telephone call consumes per country. By default, Duo restricts the maximum telephony credits used per transaction to 20 credits. If your users are in locations with more expensive telephony rates you can increase the 20 credit maximum. Conversely, if you know that telephony rates for your users should never exceed a certain amount you may reduce the maximum allowed credits below 20. To raise or lower the maximum credit usage per user authentication, enter the desired number in the Max credits per action box.

Telephony credits settings

Inactive User Expiration

Since Duo is licensed on a per-user basis, you are charged based on the number of users you have in Duo, regardless of their activity. Duo's default behavoir with regard to inactive accounts is to do nothing. Admins may choose to automatically remove inactive users from Duo after a set period. To do this, click the radio button next to Expire users after a set period of inactivity and enter the maximum number of days an inactive user will be permitted to remain in Duo. The number of inactive days is calculated from the last successful Duo authentication. Failed authentication attempts do not reset the inactivity counter.

Inactive user expiration settings

If this option is enabled, users who do not authenticate for the specified number of days are moved into the "Trash" users view and put into "pending deletion" status. This also applies to existing users who have not authenticated within the newly configured inactivity period. After seven days with "pending deletion" status, the user is permanently deleted from Duo. If the user successfully authenticates to Duo during the seven day "pending deletion" period, then the user is restored to normal active status in Duo and the inactivity timer is reset.

For example, you may have users who were enrolled in Duo 100 days ago but some have not authenticated since shortly after enrolling. If you enable inactive user expiration and set the maximum number of days to 90, then users who last authenticated more than 90 days ago are moved into the Trash to be deleted seven days later if they do not authenticate again. Going forward, any user whose inactivity counter reaches 90 days will also be put into the Trash for seven days, and then deleted if they do not authenticate again during the seven day waiting period.

A user deleted by the system for inactivity will need to re-enroll in Duo in order to authenticate again.

Inactive user expiration doesn't apply to users managed by Directory Sync. Those users remain in Duo as long as they're present in the source directory groups selected in your directory sync configuration. When you remove users from all groups you've synced to Duo in the source directory, the next scheduled sync places those users into the Trash for deletion in seven days.

Security Checkup

The Duo Mobile app's Security Checkup feature checks and reports on a user's iOS or Android device security hygiene in the application itself. Potential device security issues, like an outdated operating system or lack of screen lock, are flagged within Duo Mobile for action by the user. The Security Checkup is enabled by default. You can change this on the Settings page.

Duo Mobile Security Checkup

Security Checkup always verifies device settings against Duo's recommended security settings, regardless of any authentication device policy settings you've created. For instance, Security Checkup flags rooted status on an Android device whether you've enabled a policy that blocks authentication from rooted or jailbroken devices or not.

Security Checkup doesn't block users from authenticating if it does find any issues with a user's phone. Be sure to implement Duo policy restrictions to prevent access and authentication for users with device security issues.

With Security Checkup enabled, Duo Mobile checks these device attributes:

Android Devices

  • Operating system up to date
  • Duo Mobile app up to date
  • Full Disk Encryption enabled
  • Screen Lock enabled
  • Device not rooted
  • Passes Google SafetyNet Attestation
  • Fingerprint enabled

iOS Devices

  • Operating system up to date
  • Duo Mobile app up to date
  • Screen Lock enabled
  • Device not jailbroken
  • Biometric verification enabled

Security Checkup notifies users about detected issues via a pop-up at the bottom of the app screen, which they can tap to see more information. End users can always view their device's security posture from within the Duo Mobile app. On iOS go to MenuSecurity Checkup and on Android go to MenuSettingsSecurity Checkup.

Example: Android device with all recommended settings

Android Security Checkup without Issues

Example: iOS device without all recommended settings

iOS Security Checkup with Issues

Duo Restore

Enable Duo Restore for the Duo Mobile app if you'd like to give your end users the ability to backup Duo account information from the Duo Mobile app to Google Drive (Android devices) or iCloud (iOS devices). They can use this saved backup information to recover those Duo accounts to a replacement device of the same platform as the original backup.

Duo Restore differs from the self-service portal feature as follows:

  • Any edition may use Duo Restore, even Duo Free.
  • Duo Restore does not require enabling the self-service portal on any application.

When enabling Duo Restore, you'll designate a specific Duo-protected application to use with this feature. Users need to perform primary authentication as required by that designated application, plus Duo authentication using any other factor available to them, such as phone call approval, a hard token or SMS passcode, an administrator-issued bypass code, etc. As such, we don't recommend selecting an application to use with Duo Restore that also has an authentication methods policy applied which restricts use of factors other than Duo Push, as this prevents user recovery of accounts using Duo Restore to a new device unless your users typically have a second device already activated for Duo Push.

To enable Duo Restore:

  1. Select a web-based application you're already protecting with Duo from the drop-down list.
  2. Provide the URL of the application chosen in step 1 in the space provided.
  3. Scroll down to the bottom of the Settings page and click the Save Changes button.

Duo Mobile App Restore

After enabling Duo Restore your end users can avail themselves of the the Duo Mobile app's account recovery options after installation on a new device.

To learn more about Duo Restore, including the experience for end users, see the guide to Duo Mobile account recovery.

Please note that Duo's app account backup and restore will not restore any third-party service accounts (where users scanned a barcode to enable 2FA on an external service like Facebook or Twitter) to a replacement device. After completing Duo Restore on a new device, a user needs to manually reactivate the Duo app for any third-party services. Note that an iOS user who backs up their device to iCloud can restore both Duo and third-party accounts to the same device. This is not possible for Android devices.

Logging

By default Duo authentication, telephony, and administrator action log entries are retained indefinitely. The "Logging" settings allow you to specify a retention period by selecting the Delete logs after _ days option and entering the maximum number of days to retain the log entries. When this option is set to delete, log entries older than the given number of days are purged.

Logging Settings

Help Desk

Customize the help message shown to your users in the Duo browser prompt with the "Message" setting. Use this field to provide instructions to your users, such as directing them to call or email your organization's support group, or to show the URL of your service desk or device management portal (which they can copy and paste into a new browser tab).

Enter text up to 200 characters; HTML formatting or hyperlinks are not allowed.

Help Desk Settings

The text you specify here displays when a user clicks the "Need help?" link on the left side of the Duo prompt.

Custom Help Text in Duo Prompt

A bypass code is a passcode created as a backup authentication factor when a user's enrolled devices aren't available. Duo admins with the Owner, Administrator, User Manager, or Help Desk roles may create bypass codes for end users. You may optionally restrict your Help Desk admins' ability to customize bypass codes with the Do not allow Help Desk admins to customize bypass codes setting. Enabling this hides all customization options from the Help Desk, and any bypass codes they create are valid for the number of minutes you specify here.

Prevent your Help Desk admins from issuing bypass codes entirely by enabling the Do not allow Help Desk admins to create bypass codes option under Help Desk settings.

Admin Password Policy

The "Admin Password Policy" settings define the length and strength requirements for Duo administrative user passwords. The default setting for new Duo customers requires administrator passwords with a minimum length of 12 or more characters. Existing Duo customers who currently have the minimum password length set to a value less than 12 may increase this value incrementally, but once increased may not decrease it.

To change the minimum password length to a value greater than the default, enter the desired number of characters in the Minimum length box.

To enforce password complexity, next to the Require at least one option select any combination of uppercase letter, lowercase letter, number, or special character.

Admin Password Policy Setting

FIPS 140-2

Passcodes generated by any recent version of Duo Mobile app on iOS 6 and later or by the Duo Mobile app for Windows Phone 8.1/10 version 2.0 are FIPS 140-2 Level 1 compliant by default, as are hardware tokens purchased from Duo.

Customers who need FIPS 140-2 passcodes on Android devices can enforce this through the "FIPS 140-2" setting. If you do not see this option please contact Duo support to have this setting enabled for your account.

FIPS 140-2 Setting

When enabled, Android devices with Duo Mobile version 3.12 and later generate FIPS 140-2 Level 1 passcodes. Users may not authenticate with passcodes generated by earlier versions of Duo Mobile on Android.

Duo Push and phone call verification are unaffected by this setting, and Android devices with any version of Duo Mobile may approve Push and Phone authentication requests.

When deploying Duo two-factor authentication in a FIPS environment, use the Authentication Methods policy to permit use of only the authentication factors that meet organizational compliance requirements.

Enrollment Email

The "Enrollment Email" setting lets you customize the message sent to users imported from into Duo via Active Directory, OpenLDAP, or Azure when the synced directory has the "Send enrollment email to synced users" option enabled. You can choose to include your company logo in the email, which is the same logo image you uploaded in the General section of the Settings page.

Enrollment email settings

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free